With the spread of Internet networks, various information processors are subjected to computer virus and cracking attacks, and there is an increasing possibility that the information processors are threatened by these attacks.
For example, computer viruses such as “Nimda” and “CodeRed” recently spread themselves by exploiting vulnerabilities (security holes) in application programs such as system programs or web browsers, and caused considerable damage.
In the above-mentioned computer viruses and cracking attacks, attack data containing an instruction code that performs a malicious process (hereinafter referred to as the malicious code) is sent to information processors such as servers and personal computers that are the targets of the attack, and the instruction code is executed in those information processors. A variety of such attacking techniques exist, and one known example is an attacking technique using a buffer overflow. In a buffer overflow attack, data is written to a buffer allocated on the stack beyond the bounds of that buffer, so that the stack area outside the buffer is overwritten; when an information processor falls into a buffer overflow condition, variables are unexpectedly corrupted, which may cause the program to operate erroneously. The buffer overflow attack intentionally causes such an erroneous operation of the program and, for example, acquires administrative privileges on the system.
In order to deal with these computer virus and cracking attacks, a conventional technique detects whether or not received data contains a specific bit pattern which is seen in malicious code. If the received data contains such a bit pattern, the received data is judged to be attack data containing malicious code, and the process for blocking reception of the data and informing the user of the fact is performed.
Thus, in order to deal with various computer virus and cracking attacks with the conventional technique, it is necessary to store specific bit patterns corresponding to respective computer viruses and cracking in a database in advance, and, when new types of computer viruses and cracking techniques are discovered, the database must be updated to deal with them.
By the way, a conventional method of detecting attack data either detects a known bit pattern as described above, or detects the structure of a nonessential portion of the attacking process, such as a simple repetition of NOP instructions (NOP: no-operation). Therefore, the conventional detection method is weak against variations of attack data, requires an update of the database of bit patterns used for detection whenever unknown attack data appears, and has the problem of a time lag until the database is updated.
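The conventional detection described above, shown as an added example (not code from the patent): a stored bit-pattern database is matched against received data, and a long run of NOP bytes is treated as attack data. The signature names, byte patterns, the run-length threshold of 16 and all sample inputs are constructed for illustration.

```python
from typing import Dict, List

# Constructed signature database: name -> bit pattern seen in known attack data.
# The patterns are made up for this example and are not real malware signatures.
SIGNATURES: Dict[str, bytes] = {
    "sample-worm-A": b"\xaa\x55\x01\x02\xf3\x0e",
    "sample-worm-B": b"/cgi-bin/x.ida?",
}

NOP = 0x90               # x86 single-byte NOP
NOP_RUN_THRESHOLD = 16   # assumed minimum run length treated as a NOP sled

def match_signatures(data: bytes, db: Dict[str, bytes]) -> List[str]:
    """Return the names of every stored bit pattern found in the received data."""
    return [name for name, pattern in db.items() if pattern in data]

def longest_nop_run(data: bytes) -> int:
    """Length of the longest consecutive run of NOP bytes in the received data."""
    best = run = 0
    for b in data:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best

def classify(data: bytes, db: Dict[str, bytes]) -> str:
    """Conventional judgement: a known pattern or a NOP repetition means attack data."""
    hits = match_signatures(data, db)
    if hits:
        return "attack:" + ",".join(hits)
    if longest_nop_run(data) >= NOP_RUN_THRESHOLD:
        return "attack:nop-sled"
    return "pass"

# Constructed samples of received data.
KNOWN = b"HEAD /x HTTP/1.0\r\n" + b"\xaa\x55\x01\x02\xf3\x0e" + b"\x00" * 8
SLED = b"AAAA" + bytes([NOP]) * 32 + b"\xcc"
CLEAN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
# A pattern the database has never seen: it is passed until an entry is added.
UNKNOWN = b"POST /upload " + b"\x6a\x0b\x58\x99" + b"\x00" * 8

def main() -> None:
    db = dict(SIGNATURES)
    for name, sample in [("known", KNOWN), ("sled", SLED), ("clean", CLEAN), ("unknown", UNKNOWN)]:
        print(name, classify(sample, db))
    db["sample-worm-C"] = b"\x6a\x0b\x58\x99"  # database updated after discovery
    print("unknown-after-update", classify(UNKNOWN, db))

if __name__ == "__main__":
    main()
```

The "unknown" sample is passed until the database is updated, which is the time lag the text refers to.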